Source: securityboulevard.com – Author: Anton Chuvakin
RSA 2025: AI’s Promise vs. Security’s Past — A Reality Check
Ah, RSA. That yearly theater (Carnival? Circus? Orgy? Got any better synonyms, Gemini?) of 44,000 people vaguely (hi salespeople!) related to cybersecurity … where the air is thick with buzzwords and the vendor halls echo with promises of a massive revolution — every year.

And this year, of course, the primary driver was (still) AI. To put it in a culinary analogy — as it is well known, I like my analogies well-done — if last year’s event felt like a hopeful wait for a steak (“where’s the beef?”), this year feels like we got served a plate with a lot of garnish. Very visually stimulating garnish. But still no meat.
And I still can’t shake the feeling that in a year we might be in the same place. Hopefully not.
But let’s break it down. Just like a good stew, let’s delve (guess who wrote this sentence?) into the ingredients that made up RSA 2025.
1. The AI Hype Train: All Aboard! (But Where Are We Going?)
First off, let’s address the elephant in the room, or rather, the “hype-intelligent” [A.C. — I wrote this joke, not AI, cool typo, eh?] chatbot in the cloud: AI. Everyone and their grandmother seemed to have an “AI-powered” solution, some even went further for “AI-native” (more on this particular creation later).
Booths were festooned with AI logos, and conversations invariably veered towards gen AI and… yes… agentic AI too (so 2025 of them!). It was as if vendors had discovered, again, a magical incantation that could solve all cybersecurity woes. “Add AI and bam!”, or something like that. Like perhaps zero trust in 2022 or so?
But here’s the rub: under the surface, how much was “sizzle” and how much was “steak”? As noted, many discussions felt like “AI addressable” rather than “AI solvable” (the idea for this term comes from this podcast episode, coined by Eric Foster of Tenex.AI … yes… AI). Which means, sure, we can point AI at a problem, but AI is not actually solving it completely and requires humans to do a non-trivial amount of work. But it does help!
You know those “agentic use cases”? Those real-world game changer use cases that actually deliver significant benefits right now? I was looking for them. And I didn’t find many. In fact, I didn’t find even a single robust one. And we really looked!
We saw a lot of people imagining the future of security, and I saw not much evidence of solid outcomes in the present. A lot of vendors slapped AI mentions onto their existing products (OK, some just onto their booths!), creating what I like to call “AI washing” or gratuitous mentions of AI.
So many AI applications in MDR (Managed Detection and Response) were “AI addressable but not AI solvable.” And let’s talk for a moment about the whole “AI SOC” concept. This is the dream we keep chasing. It echoes the promises made with SOAR (Security Orchestration, Automation, and Response) systems of yesteryear.
Frankly, the more I look at the “AI SOC” vendors with their “triage agents” (just $10 per alert! buy now!) the more I see SOAR circa 2015. These guys are marching towards the same general path that SOAR treaded 10 years ago, much powered by modern tools yet veering towards the same ditch…
Remember when SOAR was supposed to automate everything, eliminating the need for human intervention in security operations? How did that work out? Turns out you still need humans to remediate and interpret the (dirty) data, and deal with messed up IT environments. And I see the “AI SOC” is in danger of repeating the exact same trajectory. The idea of a fully automated security operations center powered by AI is just not realistic at all today.
So “AI in a SOC” — strong YES, “AI SOC” — hard no!
You still need people, humans, the real ones, to deal with the complicated situations, understand the context, use tribal knowledge, and make hard decisions. At most those “AI SOC” can give guidance — “LLM says, hey, you guys should consider doing blah, blah, blah” but it is ultimately humans who make the final call and do things. Today this is true. Please ask me again after RSA 2026…
2. The Resilience of the Past: What is Dead May Never Die (Or at Least Takes a Very Long Time to Do So)
Another striking observation was the continued presence and resilience of “legacy” technologies and vendors (some parallels to RSA 2022, as I recall). Think about it: many vendor names that a security manager from 2004 would recognize (or their merged and renamed descendants) were still prominent on the show floor.
Mobile security, our favorite example of a security island merging with the mainland, also appeared, though not as a central theme. It seemed like many technologies thought to be on their last legs are, well, not. I was wondering who buys from “3rd tier AV vendors” or from “54th tier SIEM” vendors? What keeps them afloat? Well, I think part of it is explained by the “change budget” concept that some of my Deloitte colleagues used to explain.
Essentially, organizations have a limited capacity for change, and when they finally update one security solution, they might not have the resources or will to update others, no matter the need. We do not have capacity to change everything, all at once. Change fatigue is real!
And this inertia allows older technologies to persist, even if better alternatives are available. Change is just hard. And companies keep sticking with what is familiar and what just “works” (even if it really doesn’t). It might be inefficient, it might be outdated, but it is here and is already integrated with other systems. Which, of course, creates even more “fun” problems! Just imagine, there are still some people somewhere working with COBOL and Windows 2003. Terrifying, indeed!
3. The Security of AI: Protecting the Protector
An ironic twist in this AI-palooza was the relative scarcity of discussions on securing AI itself (we did a fun presentation on this BTW). While everyone was touting AI’s ability to defend systems, not enough attention was paid to defending AI systems themselves. Are we going back to the “WAF-but-for-AI” type solution? Will we build special boxes to protect those AI systems? I hope not as that would be the wrong approach. As somebody said “‘known bad’ filtering never truly works” (sounds like Marcus Ranum?)
If AI is to become a critical part of our cybersecurity infrastructure, we must ensure it is robust and resilient against attacks. But I think the relative lack of focus on this area meant that buyers aren’t ready to buy AI security or haven’t even considered it at this stage.
Think for a moment: you are ready to deploy “AI for security” but you are not yet ready to “secure AI” — including that AI you just deployed for security. Please get terrified already!
4. Quick Hits and Hallway Chatter
Beyond the big themes, a few other observations:
- Cloud Security: Wiz continued to market itself with a focus on brand recognition, perhaps showing how a powerful brand is cutting through the show’s noise. Their booth messaging focused on “Hi, we’re Wiz” and jokes, rather than detailing capabilities. So we seem to be in the “platforming” stage of cloud security.
- SecOps/SOAR/SIEM: “AI Native” is now a thing, but its advantages over just “AI capabilities added to existing platforms” are still debated. Can we have an “AI native SIEM” or “AI native SOAR”? I think we will see many attempts, but the actual value here is yet to be proven. The jury is still out. Far out.
- Pipelines: There are many vendors focused on log and telemetry collection pipelines, with some claiming to be faster or have better UX than existing solutions. The need is real, but whether we need a dozen such vendors remains to be seen.
- Misc: There were goats, puppies, and unfortunately no bees. Also, some vendors were “shredding” or “destroying” adversaries. Which sounds fun, but maybe not that practical in the real world? And I really missed the NSA booth and Enigma machines. Maybe next time? We did ask somebody in the FBI booth about the NSA booth and we got an epic eye roll as a response…
Random Hot Take (Sorry, Gemini Thinks I Needed One!)
I have a strong feeling that in a year, at RSA 2026 we might be having the same discussions. We might be again waiting for a “steak” while getting a lot of “sizzle”. We might be talking again about how “AI will fix everything” without actually seeing it fixed. We might be looking at the same old technologies staying alive for another year. I really hope I am wrong. I really want the real “game changer” AI use cases to finally emerge. We will see…
You can check out our related presentations from the conference:
- RSA Conference 2025 Session “Shadow AI”
- RSA Conference 2025 Session “Data as Code for Securing AI”
- RSA Conference 2025 Session “Clouds Are Secure: Are You Using Them Securely?”
And don’t forget to listen to the recap podcast that inspired some of these thoughts!
- RSA Conference 2025 Recap Podcast
- RSA (“RSAI”) Conference 2024 Powered by AI with AI on Top — AI Edition (Hey AI, Is This Enough AI?)
- EP172 RSA 2024: Separating AI Signal from Noise, SecOps Evolves, XDR Declines?
- RSA 2023: Not Under the GenAI Influence Yet!
- RSA 2023 — What We Saw, What We Learned, and What We’re Excited About
- RSA 2023 — How to Protect Your Organization from Cyberattacks in Time of Political Turmoil
- RSA 2022 Musings: The Past and The Future of Security
- RSA 2020 Reflection
- RSA 2019: Happily Not Over-AI’d
- RSA 2018: Not As Messy As Before?
- RSA 2017: What’s The Theme?
- RSA 2016: Musings and Contemplations
- RSA 2015: Rise of Chaos!!
- RSA 2013 and Endpoint Agent Re-Emergence
- RSA 2006–2015 In Anton’s Blog Posts!
“RSA 2025: AI’s Promise vs. Security’s Past — A Reality Check” was originally published in Anton on Security on Medium, where people are continuing the conversation by highlighting and responding to this story.
*** This is a Security Bloggers Network syndicated blog from Stories by Anton Chuvakin on Medium authored by Anton Chuvakin. Read the original post at: https://medium.com/anton-on-security/rsa-2025-ais-promise-vs-security-s-past-a-reality-check-e06deb3bd579?source=rss-11065c9e943e——2
Original Post URL: https://securityboulevard.com/2025/05/rsa-2025-ais-promise-vs-securitys-past-a-reality-check/?utm_source=rss&utm_medium=rss&utm_campaign=rsa-2025-ais-promise-vs-securitys-past-a-reality-check